March 08, 2017 | Ed Johnson-Williams

CIA and GCHQ hacking – they must clear up their own mess

US intelligence agencies are working with the UK to stockpile vulnerabilities that they can use to hack Windows and Mac computers, iOS and Android smartphones, and smart TVs. The UK Government has serious questions to answer.

The agencies will use these vulnerabilities for targeted surveillance. However vulnerabilities can also be discovered and exploited by criminals and other countries’ intelligence agencies. GCHQ's decision to keep their exploits secret could have devastating effects for society at large.

It is likely that the CIA and GCHQ are not the only organisations with knowledge of these vulnerabilities with the capability to exploit them. The agencies have, possibly through their own mistakes, increased the risks vastly by failing to ensure that the vulnerabilities are either reported or kept to themselves.

Many of the vulnerabilities disclosed in the CIA's files came from UK intelligence agencies including GCHQ. The UK Government has some serious questions to answer. These include:

  1. How does the Government ensure that GCHQ’s process for deciding whether to exploit or report a vulnerability is adequate? Are they creating unnecessary risks for organisations and individuals?

  2. How do oversight bodies check that GCHQ’s policies for assessing the risk of keeping an active vulnerability secret are sufficiently robust?

  3. Did any hacking operations reduce the security and privacy of an individual/organisation with respect to other actors?

  4. Is the authorisation process sufficient to avoid future problems?

  5. How will the UK government and agencies work to clean up the mess created by their decision not to report these vulnerabilities to the vendors?

While targeted surveillance is a legitimate aim, we need to know that government regulation of this area is sufficient. Governments should be regulating the way their intelligence agencies hoard and use vulnerabilities that affect devices owned by millions of ordinary people. From what we learnt during the passage of the Investigatory Powers Act, it appears that the ‘creation’ of techniques is not really regulated at all.

Whatever benefits there may have been to GCHQ and the US agencies in stockpiling these vulnerabilities to use for "good", the race is now on to repair them as fast as possible. NSA and GCHQ must disclose what they know about repairing these vulnerabilities and how they might be exploited to assist in this effort. The agencies must now work with the manufacturers of internet-connected devices like phones, laptops, TVs and routers, but potentially also fridges, toasters and home automation systems to repair the vulnerabilities.

Even if intelligence agencies report the vulnerabilities to device manufacturers, this does not mean that the devices will immediately be secure. The devices need to be updated to fix vulnerabilities. Manufacturers of Internet-connected devices have an ongoing responsibility to prioritise security, to actively test the security of the devices they sell, and to push out security updates to fix known vulnerabilities, which does not always happen.

At the moment, we have a secretive and unaccountable system of device hacking, badly in need of accountability and oversight. We should remember that our worry is only partly the agencies. It is the results of their actions, especially through enabling criminality, that we most need to worry about.

Comments (1)

  1. S Kleen:
    Mar 15, 2017 at 12:50 PM

    I am so tired of the “surprise” by the people in charge of our nation’s secrets that so much data can be stolen. As the writer at I can state that this vulnerability is a direct result of the cyber dinosaurs enamored by the power of the machines so much that they ignore common sense. One does not put all of their eggs in one basket and one does not put all of their money in one institution and one should NOT put all of there sensitive data in one place. It is okay for a civilian cell phone or the latest digital data device but not for the nation’s most sensitive secrets

    Imagine if Podesta and Clinton had a dozen email accounts that they randomly shared with specific email correspondants. And of course one would have to have them on a dozen color coded devices.

    The central problem is the leaders of these organizations rely on the cyber dinasaurs who create this problem of cyber theft. In essence besides compartmentalizing the data, one creates a system of data bots to access the data. AI bots analyze the data request and provide all sorts of audit and security features. Sure some political appointee might have to wait a few nano seconds longer to get their data, but building a system solely dependent on passwords is simply stupid and in the case of government should be criminally STUPID.